Cryptographic Stores in Alfresco
Brown Bag
Angel Borroy, Search Team
Nov 5, 2020
Cryptographic Stores in Alfresco
In Theory
• Electronic Certificates
• Chain of Trust
• Public and Private CAs
• Cryptographic Stores
• mTLS Protocol
In Practice
• When to use mTLS Communication
• Cryptographic Tools
• Alfresco KeyStores
• Alfresco mTLS Configuration
• Using Custom Certificates
In Panic
• Troubleshooting
Java KeyStores
In Theory
Electronic Certificates: X.509 Certificate

$ openssl x509 -in Alfresco_Client_Alfresco_CA.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Jun 30 09:24:08 2020 GMT
            Not After : Jun 28 09:24:08 2030 GMT
        Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository Client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6:
                    d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e:
                    5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47:
                    5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e:
                    97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64:
                    73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b:
                    e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc:
                    89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96:
                    b9:e6:a0:e9:e3:d4:08:3a:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72
            X509v3 Authority Key Identifier:
                keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC
                DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                serial:94:78:32:24:4E:A5:07:2B
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45:
         34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15:
         87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6:
         6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67:
         2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79:
         cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5:
         30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11

Callouts on the slide:
• Issuer Name (DN) and Issuer Signature: the CA that signed the certificate
• Subject: Distinguished Name (DN) and Common Name (CN)
• Dates valid: the validity period
• Public Key: RSA 1024 bits, signed with SHA-256; the matching Private Key is kept in the Keystore, the public certificate goes into the Truststore
• Key Usage and Policies
• Subject Alternative Name: this should match the Server DNS Name
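As an added example (not part of the deck), the script below parses the text form of a certificate, as printed by `openssl x509 -text -noout` above, and checks the fields the slide calls out: subject and issuer, validity dates, key size, the CA flag, key usage and the Subject Alternative Name. The sample input is constructed from the certificate on the slide; note that it carries a 1024-bit key and only the TLS Web Server Authentication EKU although its CN says "Repository Client", so checked as an mTLS client certificate it is flagged twice. The `role` parameter and the 2048-bit threshold are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the fields of the certificate shown on the slide, laid
# out the way `openssl x509 -in cert.pem -text -noout` prints them.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4097 (0x1001)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
        Validity
            Not Before: Jun 30 09:24:08 2020 GMT
            Not After : Jun 28 09:24:08 2030 GMT
        Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository Client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost
"""

# openssl's names for the two extended key usages an mTLS peer needs
EKU = {"server": "TLS Web Server Authentication",
       "client": "TLS Web Client Authentication"}


def _parse_dn(dn):
    """'C=GB, O=Alfresco Software Ltd., CN=x' -> {'C': 'GB', ...}.  A value may
    itself contain ', ' (see O= above), so split only before the next 'ATTR='."""
    return dict(re.findall(r"([A-Za-z]+)=(.*?)(?=, [A-Za-z]+=|$)", dn))


def _parse_date(s):
    # openssl pads single-digit days with a second space ("Jun  8 ..."): collapse it
    return datetime.strptime(re.sub(r"\s+", " ", s.strip()),
                             "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def _after(header, text):
    """First line following an extension header such as 'X509v3 Key Usage', or ''."""
    m = re.search(re.escape(header) + r"[^\n]*\n\s*([^\n]+)", text)
    return m.group(1).strip() if m else ""


def _csv(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_cert_text(text):
    """Pick the fields the slide calls out from `openssl x509 -text` output."""
    return {
        "issuer": _parse_dn(re.search(r"^\s*Issuer: (.+)$", text, re.M).group(1)),
        "subject": _parse_dn(re.search(r"^\s*Subject: (.+)$", text, re.M).group(1)),
        "not_before": _parse_date(re.search(r"Not Before: (.+)", text).group(1)),
        "not_after": _parse_date(re.search(r"Not After\s*: (.+)", text).group(1)),
        "key_bits": int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1)),
        "ca": "CA:TRUE" in _after("X509v3 Basic Constraints", text),
        "key_usage": _csv(_after("X509v3 Key Usage", text)),
        "eku": _csv(_after("X509v3 Extended Key Usage", text)),
        # SAN entries look like 'DNS:solr.internal, IP Address:127.0.0.1'
        "san": [e.split(":", 1)[1] for e in _csv(_after("X509v3 Subject Alternative Name", text)) if ":" in e],
    }


def utc_date(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def check_cert(info, role, expected_host, now, min_rsa_bits=2048):
    """Findings for a certificate used in the given TLS role ('server' or
    'client'); an empty list means it passed every check."""
    findings = []
    if info["ca"]:
        findings.append("end-entity certificate has CA:TRUE")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("outside its validity period")
    if info["key_bits"] < min_rsa_bits:
        findings.append(f"RSA key is {info['key_bits']} bits (< {min_rsa_bits})")
    if EKU[role] not in info["eku"]:
        findings.append(f"EKU lacks '{EKU[role]}'")
    if role == "server" and expected_host not in info["san"]:
        findings.append(f"SAN {info['san']} does not cover {expected_host}")
    return findings


if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE_CERT_TEXT)
    print("as server for localhost:", check_cert(cert, "server", "localhost", utc_date(2021, 1, 1)))
    print("as mTLS client:", check_cert(cert, "client", None, utc_date(2021, 1, 1)))
```

To run it against a real file, feed `parse_cert_text` the output of `openssl x509 -in <file>.pem -text -noout`; the SAN check is what catches a certificate issued for localhost being deployed on a host with another name, which is the hostname mismatch the "This should match with Server DNS Name" callout warns about.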
Electronic Certificates: File Format
• .pem – Base64 encoded DER certificate, password
• .cer, .crt, .der – Binary DER form, password
• .p7b, .p7c – Base64 ASCII file with PKCS#7, just for public certificate(s) or CRL(s)
• .p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password
• .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PKCS7-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
...
HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
19vwF3KrjH0SGi8dEgF8iQ==
-----END PKCS7-----
Public and Private CAs
A CA (Certificate Authority) is an entity that issues electronic certificates.
Public CA
• Trusted third party for the general public, mainly oriented to end users
• Issued certificates are trusted by default in operating systems and browsers
• The information and services we provide on these servers are open on the Internet
Private CA
• Trusted third party for internal users and services
• Issued certificates aren't trusted by default, so you need to configure computers and servers to trust them
• The information and services we provide on these servers are restricted to the intranet
Chain of Trust
A certificate must be traceable back to the trust root it was signed with.
All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore.
• Root Certificate: a root certificate is a digital certificate that belongs to the issuing Certificate Authority.
• Intermediate Certificate(s): intermediate certificates branch off root certificates like the branches of a tree. They act as middlemen between the protected root certificates and the server certificates issued.
• Server Certificate: the server certificate is the one issued to the specific server.
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z
...
nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix
...
nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
...
19vwF3KrjH0SGi8dEgF8iQ==
-----END CERTIFICATE-----
Cryptographic Stores
Java KeyStores are used to store key material and associated certificates.
• Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry.
• Java Key Store (JKS)
  • The original Sun JKS (Java Key Store) format is a proprietary binary file format that can only store asymmetric private keys and associated X.509 certificates.
• JCE Key Store (JCEKS)
  • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS.
• PKCS#12
  • Apart from these proprietary key stores, Java also supports the standard PKCS#12 format.
>> In Alfresco both "keystore" and "truststore" file types are Java KeyStores stored in one of the formats described above (JKS, JCEKS, PKCS12).
mTLS Protocol
TLS Client
• Keystore: client Private Key and Public Key
• Truststore: server Public Key
TLS Server
• Keystore: server Private Key and Public Key
• Truststore: client Public Key
Handshake as drawn on the slide: Hello message -> Server Public Key -> Client Public Key -> Key Validation -> Encrypted Data
In Practice
When to use mTLS Communication
• HTTP (default): INSECURE
• HTTP protected with pass
• HTTPS protected with mTLS
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
Cryptographic Tools
Issuing certificates
• keytool only supports self-signed certificates and a limited set of policies
• openssl allows you to create an internal CA and to issue certificates signed by this CA with a full set of policies
Managing Certificates and Java KeyStores
• Command line
  • keytool provides the ability to create Java KeyStores (JKS, JCEKS, PKCS12) including public and private certificates
• Window-based programs (keytool wrappers)
  • Portecle
  • KeyStore Explorer
https://docs.oracle.com/en/java/javase/11/tools/keytool.html
https://www.openssl.org/docs/
http://portecle.sourceforge.net
https://keystore-explorer.org/index.html
Alfresco KeyStores: Repository
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format.
KeyStores and private certificates are protected by password.
The aliases (ssl.repo and so on) are not relevant; different ones can be used.
keystore
• Not related to the mTLS configuration, but to encrypting secrets*
ssl.keystore
• ssl.repo is the private key used to sign HTTP requests
• ssl.alfresco.ca is the public key of the CA issuing the certificates
ssl.truststore
• alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo.client is the public key of the certificate used by SOLR as client
* https://docs.alfresco.com/6.2/concepts/alf-keystores.html
Alfresco KeyStores: SOLR
https://github.com/Alfresco/alfresco-ssl-generator
By default all the KeyStores are stored in JCEKS format.
KeyStores and private certificates are protected by password.
The aliases (ssl.repo and so on) are not relevant; different ones can be used.
ssl-repo-client.keystore
• ssl.repo.client is the private key used to sign HTTP requests
• alfresco.ca is the public key of the CA issuing the certificates
ssl-repo-client.truststore
• ssl.alfresco.ca is the public key of the CA issuing the certificates
• ssl.repo is the public key of the certificate used by Repository as client
• ssl.repo.client is the public key of the certificate used by SOLR as client
>> Zeppelin connects to the Alfresco Repository in the same way, so its KeyStores are the same as those of SOLR.
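As an added example (not part of the deck or of alfresco-ssl-generator), the check below reads `keytool -list` output for the four stores described on the Repository and SOLR slides and verifies their contents by certificate fingerprint rather than by alias, since both slides note that alias names are not relevant: each keystore holds exactly one private key, neither truststore holds any, each truststore contains the peer's client certificate, and the CA certificate kept beside each private key is trusted by both sides. The listings are constructed to mirror the slides' descriptions and the fingerprints are placeholders, not real certificates; the store names in the messages are the slides' default file names.

```python
import re

# Entry lines of `keytool -list` look like "alias, <date>, PrivateKeyEntry, "
# followed by a "Certificate fingerprint (SHA-256): ..." line.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+?), "
                      r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")
FP_RE = re.compile(r"fingerprint \([^)]+\): (\S+)")

# Constructed placeholder fingerprints (not real certificates) so the listings
# below can be cross-checked by value rather than by alias.
FP_CA = ":".join(["CA"] * 32)    # Custom Alfresco CA
FP_REPO = ":".join(["11"] * 32)  # Repository client certificate (ssl.repo)
FP_SOLR = ":".join(["50"] * 32)  # SOLR client certificate (ssl.repo.client)


def listing(store_type, *entries):
    """Build a constructed listing in the shape `keytool -list` prints."""
    body = "".join(f"{alias}, 30-Jun-2020, {etype}, \n"
                   f"Certificate fingerprint (SHA-256): {fp}\n"
                   for alias, etype, fp in entries)
    return (f"Keystore type: {store_type}\nKeystore provider: SunJCE\n\n"
            f"Your keystore contains {len(entries)} entries\n\n{body}")


# The four stores as the slides describe them.
REPO_KEYSTORE = listing("JCEKS", ("ssl.repo", "PrivateKeyEntry", FP_REPO),
                        ("ssl.alfresco.ca", "trustedCertEntry", FP_CA))
REPO_TRUSTSTORE = listing("JCEKS", ("alfresco.ca", "trustedCertEntry", FP_CA),
                          ("ssl.repo.client", "trustedCertEntry", FP_SOLR))
SOLR_KEYSTORE = listing("JCEKS", ("ssl.repo.client", "PrivateKeyEntry", FP_SOLR),
                        ("alfresco.ca", "trustedCertEntry", FP_CA))
SOLR_TRUSTSTORE = listing("JCEKS", ("ssl.alfresco.ca", "trustedCertEntry", FP_CA),
                          ("ssl.repo", "trustedCertEntry", FP_REPO),
                          ("ssl.repo.client", "trustedCertEntry", FP_SOLR))


def parse_keytool_list(text):
    """Store type plus (alias, entry type, fingerprint) for every entry."""
    lines = text.splitlines()
    store = {"type": re.search(r"^Keystore type: (\S+)", text, re.M).group(1),
             "entries": []}
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fp = FP_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        store["entries"].append({"alias": m["alias"], "type": m["type"],
                                 "fingerprint": fp.group(1) if fp else ""})
    return store


def _private(store):
    return [e["fingerprint"] for e in store["entries"] if e["type"] == "PrivateKeyEntry"]


def _trusted(store):
    return {e["fingerprint"] for e in store["entries"] if e["type"] == "trustedCertEntry"}


def check_stores(repo_ks, repo_ts, solr_ks, solr_ts, configured_type="JCEKS"):
    """Findings for the four stores of an mTLS setup; [] means consistent."""
    findings = []
    keystores = (("ssl.keystore", repo_ks), ("ssl-repo-client.keystore", solr_ks))
    truststores = (("ssl.truststore", repo_ts), ("ssl-repo-client.truststore", solr_ts))
    for name, st in keystores + truststores:
        if st["type"].lower() != configured_type.lower():
            findings.append(f"{name}: store type {st['type']} differs from configured {configured_type}")
    for name, ks in keystores:
        if len(_private(ks)) != 1:
            findings.append(f"{name}: expected exactly one PrivateKeyEntry, found {len(_private(ks))}")
    for name, ts in truststores:
        if _private(ts):
            findings.append(f"{name}: a truststore must not carry private keys")
    # Each side must trust the peer's client certificate, matched by fingerprint
    if not set(_private(solr_ks)) <= _trusted(repo_ts):
        findings.append("ssl.truststore does not contain the SOLR client certificate")
    if not set(_private(repo_ks)) <= _trusted(solr_ts):
        findings.append("ssl-repo-client.truststore does not contain the Repository client certificate")
    # The CA certificate stored beside each private key must be in both truststores
    for ca in _trusted(repo_ks) | _trusted(solr_ks):
        for name, ts in truststores:
            if ca not in _trusted(ts):
                findings.append(f"{name} lacks the CA certificate {ca[:8]}...")
    return findings


if __name__ == "__main__":
    stores = map(parse_keytool_list, (REPO_KEYSTORE, REPO_TRUSTSTORE, SOLR_KEYSTORE, SOLR_TRUSTSTORE))
    print(check_stores(*stores) or "stores are consistent")
```

On a real installation, capture `keytool -list -keystore <file> -storetype JCEKS -storepass <password>` for each of the four stores and pass the four texts to `parse_keytool_list`. The fingerprint comparison is what catches the scenario of the custom-certificates demo and the sharding slide: a keystore regenerated with a new key while the other side's truststore still holds the old certificate.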
Alfresco KeyStores: Browser
https://github.com/Alfresco/alfresco-ssl-generator
Connecting to the SOLR Admin Web Console (by default available at https://127.0.0.1:8983/solr) requires a client certificate.
• This certificate needs to be installed in Windows, Mac OS X and Linux.
• When using Mozilla Firefox, the certificate also needs to be installed in that browser.
Alfresco mTLS: CLASSIC
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
Alfresco mTLS: CURRENT
Alfresco mTLS: Repository Properties
Apache HTTP Client in alfresco.war: configuration to send HTTPS queries to SOLR
https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719

# default keystores location
dir.keystore=classpath:alfresco/keystore
# general encryption parameters (keystore)
encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
encryption.keyAlgorithm=AES
encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
# secret key keystore configuration
encryption.keystore.location=${dir.keystore}/keystore
encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
encryption.keystore.provider=
encryption.keystore.type=pkcs12
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.provider=
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.provider=
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
# SOLR configuration
solr.port.ssl=8984
solr.secureComms=https

ENCRYPTION PROPERTIES: not related to the mTLS configuration, but required even when not using mTLS
KEYSTORE: includes the Repository private key
TRUSTSTORE: includes the CA public key and the SOLR client public key
Files: alfresco-global.properties, docker-compose.yml (CLASSIC)
Alfresco mTLS: Tomcat Repository Connector
Tomcat Server configuration to receive HTTPS queries from SOLR

$ cat /usr/local/tomcat/conf/server.xml
...
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           connectionTimeout="20000" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
           keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
           keystorePass="kT9X6oe68t" keystoreType="JCEKS"
           truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
           truststorePass="kT9X6oe68t" truststoreType="JCEKS">
</Connector>
</Service>
</Server>

TOMCAT CONNECTOR: TLS configuration
KEYSTORE: includes the Repository private key
TRUSTSTORE: includes the CA public key and the SOLR client public key
Files: server.xml, Dockerfile (CLASSIC)
Alfresco mTLS: SOLR Properties
Apache HTTP Client in solr.war: configuration to send HTTPS indexing requests to Alfresco
https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44

# ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.keystore.provider=
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
# ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.encryption.ssl.truststore.provider=
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
# Alfresco Repository configuration
alfresco.port.ssl=8443
alfresco.secureComms=https

KEYSTORE: includes the SOLR private key
TRUSTSTORE: includes the CA public key, the Repository client public key and the SOLR client public key
File: solrcore.properties (CLASSIC)
Alfresco mTLS: Jetty SOLR Server
Jetty Server configuration to receive HTTPS queries from Alfresco

$ cat /opt/alfresco-search-services/solr.in.sh
# ssl.repo.client.keystore
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE_PASSWORD=password
# ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Jetty mTLS configuration
SOLR_SSL_NEED_CLIENT_AUTH=true

KEYSTORE: includes the SOLR private key
TRUSTSTORE: includes the CA public key, the Repository client public key and the SOLR client public key
Files: solr.in.sh, solr.in.cmd (CLASSIC)
Alfresco mTLS: SOLR Endpoints
The Apache HTTP Client from alfresco.war sends signed HTTPS requests to the SOLR Jetty server
Search Queries
https://127.0.0.1:8983/solr/alfresco/afts
https://127.0.0.1:8983/solr/alfresco/browse
https://127.0.0.1:8983/solr/alfresco/cmis
https://127.0.0.1:8983/solr/alfresco/query
https://127.0.0.1:8983/solr/alfresco/select
SQL Queries
https://127.0.0.1:8983/solr/alfresco/sql
Admin Actions
https://127.0.0.1:8983/solr/admin
Alfresco mTLS: Repository Endpoints
The Apache HTTP Client from solr.war sends signed HTTPS requests to the Alfresco Tomcat server
Indexing requests
https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets
https://127.0.0.1:8443/alfresco/service/api/solr/acls
https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders
https://127.0.0.1:8443/alfresco/service/api/solr/metadata
https://127.0.0.1:8443/alfresco/service/api/solr/model
https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff
https://127.0.0.1:8443/alfresco/service/api/solr/nodes
https://127.0.0.1:8443/alfresco/service/api/solr/textContent
https://127.0.0.1:8443/alfresco/service/api/solr/transactions
Alfresco mTLS: Sharding
The mTLS configuration can be applied to SOLR Shards in the same way.
• The same KeyStores can be used for every Shard
• Alternatively, a new certificate (ssl.client.repo) can be generated for each Shard
• You then need to add these new certificates to the Alfresco Repository truststore (ssl.truststore)
Sample configuration using DB_ID for two shards is available in:
https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
DEMO TIME: Using Custom Certificates
1 - Starting with a working mTLS configuration
• Docker Compose for Alfresco Repository
• ZIP Distribution file for Alfresco Search SOLR
2 - Create new KeyStores with different values
3 - Copy the new KeyStores but preserve encryption resources: keystore and keystore-passwords.properties
4 - Modify configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty
• Use pkcs12 as KeyStore Type
• Use password as password for the KeyStores
CLASSIC format:
$ ./run.sh \
    -alfrescoversion community \
    -keysize 4096 \
    -keystoretype PKCS12 -keystorepass password \
    -truststoretype PKCS12 -truststorepass password \
    -alfrescoformat classic
https://github.com/Alfresco/alfresco-ssl-generator
Common mistakes: Searching
If you are experiencing problems when searching from Alfresco, Share or from the REST API:
• Review the Alfresco Repository configuration: alfresco-global.properties
• Review the SOLR Jetty configuration: solr.in.sh | solr.in.cmd
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
# ssl.keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
# ssl.truststore
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
Common mistakes: Indexing
If you are experiencing problems when indexing from SOLR:
• Review the Alfresco Tomcat configuration: server.xml
• Review the SOLR properties configuration: solrcore.properties
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
connectionTimeout="20000"
SSLEnabled="true" maxThreads="150" scheme="https"
keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true"
truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
truststorePass="kT9X6oe68t" truststoreType="JCEKS" clientAuth="want" sslProtocol="TLS">
</Connector>
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
alfresco.encryption.ssl.keystore.provider=JCEKS
alfresco.encryption.ssl.truststore.type=
alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.provider=JCEKS
alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties
alfresco.encryption.ssl.keystore.type=
alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
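As an added example, not part of the deck: the two "Common mistakes" slides list the four files to review when searching or indexing fails. The script below parses fragments of those files (alfresco-global.properties, the Tomcat Connector, solrcore.properties and solr.in.sh) and cross-checks the pairs that must agree: the Repository's HTTP client and Tomcat open the same ssl.keystore and ssl.truststore files, so their types and file names must match; solrcore.properties and solr.in.sh must agree on the SOLR store types and files, and the type must not be left empty (the solrcore fragment on the Indexing slide has JCEKS in .provider and .type empty, which the lint reports); the port each HTTP client targets must be the one Tomcat or Jetty listens on; and both servers must request the client certificate, otherwise it is plain TLS, not mTLS. The inputs are constructed from the slides' values with placeholder passwords; SOLR_PORT is the standard solr.in.sh variable, which the slides do not show.

```python
import re
from os.path import basename

# Constructed fragments modelled on the slides; passwords replaced by a placeholder.
REPO_PROPS = """\
solr.port.ssl=8983
solr.secureComms=https
dir.keystore=/usr/local/tomcat/alf_data/keystore
encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
encryption.ssl.keystore.type=JCEKS
encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
encryption.ssl.truststore.type=JCEKS
"""
TOMCAT_XML = """\
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
    keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
    keystorePass="CHANGEME" keystoreType="JCEKS"
    truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
    truststorePass="CHANGEME" truststoreType="JCEKS">
</Connector>
"""
SOLRCORE_OK = """\
alfresco.secureComms=https
alfresco.port.ssl=8443
alfresco.encryption.ssl.keystore.type=JCEKS
alfresco.encryption.ssl.keystore.provider=
alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
alfresco.encryption.ssl.truststore.type=JCEKS
alfresco.encryption.ssl.truststore.provider=
alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
"""
# The same fragment with the store type written into .provider and .type left empty
SOLRCORE_SWAPPED = SOLRCORE_OK.replace("type=JCEKS", "type=").replace("provider=\n", "provider=JCEKS\n")
SOLR_IN_SH = """\
SOLR_PORT=8983
SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
SOLR_SSL_KEY_STORE_TYPE=JCEKS
SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
SOLR_SSL_TRUST_STORE_TYPE=JCEKS
SOLR_SSL_NEED_CLIENT_AUTH=true
"""


def parse_properties(text):
    """key=value lines (properties files and the VAR=value lines of solr.in.sh)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().strip('"')
    return props


def parse_connector(xml):
    """Attributes of the first <Connector ...> element of server.xml."""
    m = re.search(r"<Connector\b(.*?)>", xml, re.S)
    return dict(re.findall(r'(\w+)="([^"]*)"', m.group(1))) if m else {}


def _same(a, b):
    return (a or "").lower() == (b or "").lower()


def lint_mtls(repo, tomcat, solrcore, solr_in):
    """Cross-check the four mTLS configuration files; [] means consistent."""
    f = []
    if not _same(repo.get("solr.secureComms"), "https"):
        f.append("repository: solr.secureComms is not https")
    if not _same(solrcore.get("alfresco.secureComms"), "https"):
        f.append("solr: alfresco.secureComms is not https")
    # SOLR's client targets the Tomcat connector port, the repository's client Jetty's port
    if solrcore.get("alfresco.port.ssl") != tomcat.get("port"):
        f.append(f"solr: alfresco.port.ssl={solrcore.get('alfresco.port.ssl')} but Tomcat listens on {tomcat.get('port')}")
    if "SOLR_PORT" in solr_in and repo.get("solr.port.ssl") != solr_in["SOLR_PORT"]:
        f.append(f"repository: solr.port.ssl={repo.get('solr.port.ssl')} but SOLR_PORT={solr_in['SOLR_PORT']}")
    # The repository's HTTP client and Tomcat open the same store files, so types must agree
    for kind in ("keystore", "truststore"):
        rtype, ttype = repo.get(f"encryption.ssl.{kind}.type"), tomcat.get(f"{kind}Type")
        if not _same(rtype, ttype):
            f.append(f"repository {kind}: type {rtype!r} differs from Tomcat {kind}Type {ttype!r}")
        if basename(repo.get(f"encryption.ssl.{kind}.location", "")) != basename(tomcat.get(f"{kind}File", "")):
            f.append(f"repository {kind}: alfresco-global.properties and server.xml name different files")
    # Likewise for SOLR's HTTP client (solrcore.properties) and Jetty (solr.in.sh)
    for kind, var in (("keystore", "SOLR_SSL_KEY_STORE"), ("truststore", "SOLR_SSL_TRUST_STORE")):
        prop = f"alfresco.encryption.ssl.{kind}"
        stype, jtype = solrcore.get(f"{prop}.type", ""), solr_in.get(f"{var}_TYPE")
        if not stype:
            f.append(f"solr {kind}: {prop}.type is empty (was the type written into {prop}.provider?)")
        elif not _same(stype, jtype):
            f.append(f"solr {kind}: type {stype!r} differs from {var}_TYPE {jtype!r}")
        if basename(solrcore.get(f"{prop}.location", "")) != basename(solr_in.get(var, "")):
            f.append(f"solr {kind}: solrcore.properties and solr.in.sh name different files")
    # Both servers must request the client certificate, or it is plain TLS rather than mTLS
    if tomcat.get("clientAuth") not in ("want", "true"):
        f.append(f"tomcat: clientAuth={tomcat.get('clientAuth')!r}, expected 'want' or 'true'")
    if not _same(solr_in.get("SOLR_SSL_NEED_CLIENT_AUTH"), "true"):
        f.append("jetty: SOLR_SSL_NEED_CLIENT_AUTH is not true")
    return f


if __name__ == "__main__":
    for name, core in (("consistent", SOLRCORE_OK), ("swapped type/provider", SOLRCORE_SWAPPED)):
        print(name, lint_mtls(parse_properties(REPO_PROPS), parse_connector(TOMCAT_XML),
                              parse_properties(core), parse_properties(SOLR_IN_SH)))
```

Passwords are deliberately not compared here: the Tomcat keystorePass and the values in the ssl-keystore-password.properties files must also match, but that check belongs in a step that reads those files and never prints them.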
Troubleshooting: cURL
Testing the configuration with cURL
Extract the ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format, then query the Repository with it:
$ curl -k --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem -v \
  "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000"
In the other direction, extract the ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format, then query SOLR with it:
$ curl -k --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem -v \
  "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"
Troubleshooting: Debugging
Debugging the configuration
The best approach to debug the SSL handshake is not using the Log4j categories, but setting this Java parameter for both the Solr and Alfresco web apps:
-Djavax.net.debug=ssl:handshake

"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "79 4D 93 54 F9 59 83 0C 75 58 73 F8 DE 3A 3C B6 95 57 8F 72 A4 FE 92 BB D0 89 50 C3 A0 11 84 9C",
  "session id"          : "49 61 34 4C 45 80 A0 69 75 E3 92 C2 7D F6 2E 04 70 3F 6C 4D A1 91 F0 B8 CE 79 1C 3B 15 0B 11 F5",
  "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), ... ]",
  "compression methods" : "00",
  "extensions"          : [ ]
}
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "30 8C EE E3 E3 08 6D 38 FD BC 47 5E 9A C5 4C A5 AD 14 3E 97 DB 3E DA C9 BE 61 F9 0F 88 F3 25 10",
  "session id"          : "",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
    }
  ]
}
Troubleshooting: Resources
Alfresco Documentation
https://docs.alfresco.com/search-community/tasks/solr-install.html
https://docs.alfresco.com/search-community/concepts/solr-troubleshooting.html
Alfresco Hub
https://hub.alfresco.com/t5/alfresco-content-services-blog/creating-self-signed-ssl-certificates-for-solr/ba-p/288477
https://hub.alfresco.com/t5/alfresco-content-services-blog/using-ssl-with-alfresco-search-services-and-solr-6/ba-p/292687
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
Blog posts
https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/
Thank you!
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptxOralce SSL walelt -TCPS_Troubleshooting_PB.pptx
Oralce SSL walelt -TCPS_Troubleshooting_PB.pptx
 
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017TTL Alfresco Product Security and Best Practices 2017
TTL Alfresco Product Security and Best Practices 2017
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
FIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT DevicesFIWARE Wednesday Webinars - How to Secure IoT Devices
FIWARE Wednesday Webinars - How to Secure IoT Devices
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 

Más de Angel Borroy López

Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchAngel Borroy López
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAngel Borroy López
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherAngel Borroy López
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Angel Borroy López
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1Angel Borroy López
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoAngel Borroy López
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Angel Borroy López
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeAngel Borroy López
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAngel Borroy López
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para DockerAngel Borroy López
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfAngel Borroy López
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsAngel Borroy López
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrAngel Borroy López
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaAngel Borroy López
 
How to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverHow to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverAngel Borroy López
 
10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should KnowAngel Borroy López
 

Más de Angel Borroy López (20)

Transitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearchTransitioning from Customized Solr to Out-of-the-Box OpenSearch
Transitioning from Customized Solr to Out-of-the-Box OpenSearch
 
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 EuropeAlfresco integration with OpenSearch - OpenSearchCon 2024 Europe
Alfresco integration with OpenSearch - OpenSearchCon 2024 Europe
 
Using Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms togetherUsing Generative AI and Content Service Platforms together
Using Generative AI and Content Service Platforms together
 
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
Enhancing Document-Centric Features with On-Premise Generative AI for Alfresc...
 
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
La Guía Definitiva para una Actualización Exitosa a Alfresco 23.1
 
Docker Init with Templates for Alfresco
Docker Init with Templates for AlfrescoDocker Init with Templates for Alfresco
Docker Init with Templates for Alfresco
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
 
Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0Alfresco Transform Services 4.0.0
Alfresco Transform Services 4.0.0
 
Using Podman with Alfresco
Using Podman with AlfrescoUsing Podman with Alfresco
Using Podman with Alfresco
 
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud NativeCSP: Evolución de servicios de código abierto en un mundo Cloud Native
CSP: Evolución de servicios de código abierto en un mundo Cloud Native
 
Alfresco Embedded Activiti Engine
Alfresco Embedded Activiti EngineAlfresco Embedded Activiti Engine
Alfresco Embedded Activiti Engine
 
Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0Alfresco Transform Core 3.0.0
Alfresco Transform Core 3.0.0
 
Desarrollando una Extensión para Docker
Desarrollando una Extensión para DockerDesarrollando una Extensión para Docker
Desarrollando una Extensión para Docker
 
DockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdfDockerCon 2022 Spanish Room-ONBOARDING.pdf
DockerCon 2022 Spanish Room-ONBOARDING.pdf
 
Deploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP PlatformsDeploying Containerised Open-Source CSP Platforms
Deploying Containerised Open-Source CSP Platforms
 
Introduction to AWS
Introduction to AWSIntroduction to AWS
Introduction to AWS
 
A Practical Introduction to Apache Solr
A Practical Introduction to Apache SolrA Practical Introduction to Apache Solr
A Practical Introduction to Apache Solr
 
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de ZaragozaDocker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
Docker 101 - Zaragoza Docker Meetup - Universidad de Zaragoza
 
How to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last ForeverHow to Write Alfresco Addons that Last Forever
How to Write Alfresco Addons that Last Forever
 
10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know10 Tips Every New Developer in Alfresco Should Know
10 Tips Every New Developer in Alfresco Should Know
 

Último

%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park masabamasaba
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...kalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxalwaysnagaraju26
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfayushiqss
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrainmasabamasaba
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfproinshot.com
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesVictorSzoltysek
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Nitya salvi
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdfPearlKirahMaeRagusta1
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnAmarnathKambale
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 

Último (20)

%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 

Alfresco Certificates

  • 1. Cryptographic stores in Alfresco
    Angel Borroy, Search Team
    Brown Bag, Nov 5, 2020
  • 2. Cryptographic Stores in Alfresco
    In Theory
      • Electronic Certificates
      • Chain of Trust
      • Public and Private CAs
      • Cryptographic Stores
      • mTLS Protocol
    In Practice
      • When to use mTLS Communication
      • Cryptographic Tools
      • Alfresco KeyStores
      • Alfresco mTLS Configuration
      • Using Custom Certificates
    In Panic
      • Troubleshooting Java KeyStores
  • 4. Electronic Certificates: X509 Certificate
    $ openssl x509 -in Alfresco_Client_Alfresco_CA.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 4097 (0x1001)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=UK, L=Maidenhead, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco CA
            Validity
                Not Before: Jun 30 09:24:08 2020 GMT
                Not After : Jun 28 09:24:08 2030 GMT
            Subject: C=GB, ST=UK, O=Alfresco Software Ltd., OU=Unknown, CN=Custom Alfresco Repository Client
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        00:a2:89:cf:ff:8d:0b:f6:47:76:fd:66:5b:f5:b6:
                        d8:26:9f:59:b1:3d:58:39:fa:7d:38:5e:0a:61:5e:
                        5c:dd:e5:50:c2:1c:0d:99:db:26:de:f2:3b:26:47:
                        5c:d1:8a:f6:e1:a5:04:ec:7c:60:3b:2a:5c:e3:7e:
                        97:26:59:3a:ed:d7:4a:69:c0:9e:47:5b:a0:03:64:
                        73:29:35:70:70:e7:1a:a4:b7:5a:c5:a5:08:52:9b:
                        e7:95:72:7e:0d:a4:4d:b6:85:84:e7:c5:4c:7c:fc:
                        89:93:de:88:f9:c7:9b:52:1f:59:95:04:89:3a:96:
                        b9:e6:a0:e9:e3:d4:08:3a:87
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Cert Type:
                    SSL Server
                Netscape Comment:
                    OpenSSL Generated Server Certificate
                X509v3 Subject Key Identifier:
                    84:E1:8B:E1:3C:9E:66:20:79:8F:AE:C5:9E:06:50:23:F2:54:A1:72
                X509v3 Authority Key Identifier:
                    keyid:2D:AC:E1:41:70:08:36:16:3F:E5:C9:A8:0C:B1:CF:CF:6B:A4:80:BC
                    DirName:/C=GB/ST=UK/L=Maidenhead/O=Alfresco Software Ltd./OU=Unknown/CN=Custom Alfresco CA
                    serial:94:78:32:24:4E:A5:07:2B
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Subject Alternative Name:
                    DNS:localhost
        Signature Algorithm: sha256WithRSAEncryption
             12:4d:81:49:ca:e7:00:13:2e:74:1b:2a:de:41:a5:45:79:45:
             34:1c:0b:58:30:a8:a0:a4:f2:52:36:ba:6c:e8:9b:7e:4c:15:
             87:86:56:a4:e7:38:0d:13:e5:f3:d1:23:5f:f1:28:d8:d7:d6:
             6f:a8:c9:21:ec:aa:9f:7d:4e:79:87:14:b7:d5:8f:e8:cc:67:
             2e:1b:84:fd:de:ef:ab:c2:49:e4:8f:9e:a4:2e:49:ef:75:79:
             cd:7b:e2:a9:16:c6:14:94:2a:70:9e:1e:82:d8:d7:c5:54:b5:
             30:bb:17:00:e1:86:5f:5c:c7:fe:da:12:35:6f:33:55:ca:11
    Callouts on the slide:
      • Issuer Name (DN)
      • Common Name (CN), Distinguished Name (DN)
      • Dates valid
      • Private Key / Public Key: RSA 1024 bits with SHA 256
      • Key Usage Policies
      • Issuer Signature
      • "This should match with Server DNS Name"
      • Keystore, Truststore
  • 5. Electronic Certificates: File Format
    • .pem – Base64 encoded DER certificate, password
    • .cer, .crt, .der – Binary DER form, password
    • .p7b, .p7c – Base64 ASCII file with PKCS#7, just for public certificate(s) or CRL(s)
    • .p12 – PKCS#12, may contain certificate(s) (public) and private keys, binary format (ASN.1), password
    • .pfx – PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
    Sample PEM blocks shown on the slide (abbreviated):
    -----BEGIN CERTIFICATE-----
    MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
    BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
    ...
    HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
    19vwF3KrjH0SGi8dEgF8iQ==
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
    ...
    19vwF3KrjH0SGi8dEgF8iQ==
    -----END RSA PRIVATE KEY-----
    -----BEGIN PKCS7-----
    MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
    BAYTAkdCMQswCQYDVQQIDAJVSzETMBEGA1UEBwwKTWFpZGVuaGVhZDEfMB0GA1UE
    ...
    HNFbBC+FX4Kw2NSzTGcdNQTSzGXen//4MN6BkPcHATm0lghIclKejRwZHJ9o3qi1
    19vwF3KrjH0SGi8dEgF8iQ==
    -----END PKCS7-----
  • 6. Public and Private CAs
    A CA (Certificate Authority) is an entity that issues electronic certificates.
    Public CA
      • Trusted Third-Party for the general public, mainly oriented to final users
      • Issued certificates are trusted by default in Operating Systems and Browsers
      • The information and services we provide on these servers are open on the Internet
    Private CA
      • Trusted Third-Party for internal users and services
      • Issued certificates aren't trusted by default, so you need to configure computers and servers in order to trust them
      • The information and services we provide on these servers are restricted to the Intranet
  • 7. Chain of Trust
    A certificate must be traceable back to the trust root it was signed with. All public certificates in the chain [server, intermediate(s), and root] need to be present in the truststore.
    • Root Certificate: a digital certificate that belongs to the issuing Certificate Authority.
    • Intermediate Certificate(s): intermediate certificates branch off root certificates like the branches of a tree. They act as middle-men between the protected root certificates and the server certificates issued.
    • Server Certificate: the certificate issued to the specific server.
    Sample PEM bundle shown on the slide (abbreviated):
    -----BEGIN RSA PRIVATE KEY-----
    MIICXAIBAAKBgQCiic//jQv2R3b9Zlv1ttgmn1mxPVg5+n04XgphXlzd5VDCHA2Z
    ...
    nD6OWE6wMqGqCkzz/QlGPaR4n3E4cnm8YgsCZJRwZ/Q=
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIID2DCCA0GgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwfzELMAkGA1UEBhMCR0Ix
    ...
    nh6C2NfFVLUwuxcA4YZfXMf+2hI1bzNVyhEZCQ==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIC3DCCAkWgAwIBAgIJAJR4MiROpQcrMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
    ...
    19vwF3KrjH0SGi8dEgF8iQ==
    -----END CERTIFICATE-----
  • 8. Cryptographic Stores
    Java KeyStores are used to store key material and associated certificates.
    • Each key store has an overall password used to protect the entire store, and can optionally have per-entry passwords for each secret- or private-key entry.
    • Java Key Store (JKS)
      • The original Sun JKS (Java Key Store) format is a proprietary binary format file that can only store asymmetric private keys and associated X.509 certificates.
    • JCE Key Store (JCEKS)
      • Sun later updated the cryptographic capabilities of the JVM with the Java Cryptography Extensions (JCE). With this they also introduced a new proprietary key store format: JCEKS.
    • PKCS#12
      • Apart from these proprietary key stores, Java also supports the standard PKCS#12 format.
    >> In Alfresco both "keystore" and "truststore" file types are Java Keystores stored in one of the formats described above (JKS, JCEKS, PKCS12)
  • 9. mTLS Protocol
    [Diagram] TLS Client (Keystore: Private Key + Public Key; Truststore: Public Key) and TLS Server (Keystore: Private Key + Public Key; Truststore: Public Key) exchange, in order: Hello message, Server Public Key, Client Public Key, Key Validation, Encrypted Data.
  • 11. When to use mTLS Communication
    [Diagram] HTTP default: INSECURE; HTTP protected with pass; HTTPS protected with mTLS
    https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
  • 12. Cryptographic Tools
    Issuing certificates
      • keytool only supports self-signed certificates and a limited set of policies
      • openssl allows creating an internal CA and issuing certificates signed by this CA with a full set of policies
    Managing Certificates and Java KeyStores
      • Command line
        • keytool provides the ability to create Java Keystores (JKS, JCEKS, PKCS12) including public and private certificates
      • Window based programs (keytool wrappers)
        • Portecle
        • KeyStore Explorer
    https://docs.oracle.com/en/java/javase/11/tools/keytool.html
    https://www.openssl.org/docs/
    http://portecle.sourceforge.net
    https://keystore-explorer.org/index.html
  • 13. Alfresco KeyStores: Repository
    https://github.com/Alfresco/alfresco-ssl-generator
    By default all the KeyStores are stored in JCEKS format. KeyStore and private certificates are protected by password. The aliases (ssl.repo and so on) are not relevant; different ones can be used.
    keystore
      • Not related with mTLS configuration, but with encrypting secrets*
    ssl.keystore
      • ssl.repo is the private key used to sign HTTP requests
      • ssl.alfresco.ca is the public key of the CA issuing the certificates
    ssl.truststore
      • alfresco.ca is the public key of the CA issuing the certificates
      • ssl.repo.client is the public key of the certificate used by SOLR as client
    * https://docs.alfresco.com/6.2/concepts/alf-keystores.html
  • 14. Alfresco KeyStores: SOLR
    https://github.com/Alfresco/alfresco-ssl-generator
    By default all the KeyStores are stored in JCEKS format. KeyStore and private certificates are protected by password. The aliases (ssl.repo and so on) are not relevant; different ones can be used.
    ssl-repo-client.keystore
      • ssl.repo.client is the private key used to sign HTTP requests
      • alfresco.ca is the public key of the CA issuing the certificates
    ssl-repo-client.truststore
      • ssl.alfresco.ca is the public key of the CA issuing the certificates
      • ssl.repo is the public key of the certificate used by Repository as client
      • ssl.repo.client is the public key of the certificate used by SOLR as client
    >> Zeppelin connects to the Alfresco Repository, so its KeyStores are the same as those of SOLR
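An added example, not Alfresco or JDK code, that reads the proprietary JKS/JCEKS layout described on slide 8 and then checks a store against the roles slides 13 and 14 give to a keystore and a truststore. It assumes the stores hold only private-key and trusted-certificate entries, and the certificate bytes it builds are constructed placeholders, not real DER.

```python
"""Reader for the JDK's proprietary JKS / JCEKS keystore format plus the structural checks an
Alfresco ssl.keystore / ssl.truststore should pass. Added example, not Alfresco or JDK code;
the certificate bytes used below are constructed placeholders."""
import hashlib
import struct

JKS_MAGIC, JCEKS_MAGIC = 0xFEEDFEED, 0xCECECECE
PRIVATE_KEY, TRUSTED_CERT, SECRET_KEY = 1, 2, 3          # entry tags used in the file
ENTRY_NAMES = {PRIVATE_KEY: "PrivateKeyEntry", TRUSTED_CERT: "trustedCertEntry",
               SECRET_KEY: "SecretKeyEntry"}            # the names keytool -list prints
INTEGRITY_SALT = b"Mighty Aphrodite"                    # constant the JDK mixes into the digest


def _utf(buf, pos):
    """Java writeUTF: 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _blob(buf, pos):
    """Length-prefixed (4-byte big-endian) byte string."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def read_keystore(data, password=None):
    """Return (store type, [(alias, entry kind, certificates held)]).
    With a password, also verify the store's SHA-1 integrity digest."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic not in (JKS_MAGIC, JCEKS_MAGIC) or version != 2:
        raise ValueError("not a JKS/JCEKS version 2 keystore")
    store_type = "JKS" if magic == JKS_MAGIC else "JCEKS"
    pos, entries, complete = 12, [], True
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _utf(data, pos + 4)
        pos += 8                                        # creation timestamp, ms since epoch
        if tag == PRIVATE_KEY:
            _, pos = _blob(data, pos)                   # password-encrypted PKCS#8 key, left sealed
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _, pos = _utf(data, pos)                # certificate type, "X.509"
                _, pos = _blob(data, pos)               # DER certificate, stored in the clear
            entries.append((alias, ENTRY_NAMES[tag], chain_len))
        elif tag == TRUSTED_CERT:
            _, pos = _utf(data, pos)
            _, pos = _blob(data, pos)
            entries.append((alias, ENTRY_NAMES[tag], 1))
        else:
            # JCEKS secret keys are Java-serialized SealedObjects with no length prefix, so a
            # stand-alone reader cannot step over them. Alfresco's secrets "keystore" is the
            # only store on the slides holding one; the ssl.* stores never do.
            entries.append((alias, ENTRY_NAMES.get(tag, "tag%d" % tag), 0))
            complete = False
            break
    if password is not None and complete:
        # The digest covers every byte before it: the store password proves integrity, not
        # secrecy, and the certificates and layout are readable without it.
        expected = hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + data[:pos]).digest()
        if data[pos:pos + 20] != expected:
            raise ValueError("integrity check failed: wrong store password or tampered file")
    return store_type, entries


def build_keystore(entries, password, jceks=True):
    """Write a store from (alias, tag, [DER cert bytes]) triples; constructed test data only."""
    out = bytearray(struct.pack(">III", JCEKS_MAGIC if jceks else JKS_MAGIC, 2, len(entries)))
    for alias, tag, certs in entries:
        out += struct.pack(">IH", tag, len(alias)) + alias.encode() + bytes(8)
        if tag == PRIVATE_KEY:
            key = b"\x30\x00"                            # stands in for the encrypted key blob
            out += struct.pack(">I", len(key)) + key + struct.pack(">I", len(certs))
        for cert in certs:
            out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    out += hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + bytes(out)).digest()
    return bytes(out)


def check_store_role(entries, role):
    """Slides 13/14: a keystore holds the service's one private key (with its chain) plus the
    issuing CA; a truststore holds public certificates only."""
    kinds = [kind for _, kind, _ in entries]
    problems = []
    if role == "keystore":
        if kinds.count("PrivateKeyEntry") != 1:
            problems.append("keystore must hold exactly one PrivateKeyEntry")
        if "trustedCertEntry" not in kinds:
            problems.append("keystore is missing the issuing CA certificate")
    elif role == "truststore":
        if "PrivateKeyEntry" in kinds:
            problems.append("truststore must not contain private keys")
        if "trustedCertEntry" not in kinds:
            problems.append("truststore holds no trusted certificates")
    return problems


if __name__ == "__main__":
    ca, repo = b"\x30\x03CA", b"\x30\x05REPO"          # placeholder blobs, not real certificates
    ssl_keystore = build_keystore([("ssl.repo", PRIVATE_KEY, [repo, ca]),
                                   ("ssl.alfresco.ca", TRUSTED_CERT, [ca])], "changeme")
    kind, found = read_keystore(ssl_keystore, "changeme")
    print(kind, found, check_store_role(found, "keystore"))
```

Run against a real store, read_keystore(open("ssl.keystore", "rb").read(), password) lists the same aliases keytool shows and fails loudly when the password file and the store have drifted apart.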
  • 15. Alfresco KeyStores: Browser
    https://github.com/Alfresco/alfresco-ssl-generator
    Connecting to the SOLR Admin Web Console (by default available at https://127.0.0.1:8983/solr) requires a client certificate.
    • This certificate needs to be installed in Windows, Mac OS X and Linux.
    • When using Mozilla Firefox, the certificate also needs to be installed in that browser.
  • 18. Alfresco mTLS: Repository Properties
    Apache HTTP Client in alfresco.war configuration to send HTTPS queries to SOLR
    https://github.com/Alfresco/alfresco-community-repo/blob/8.307/repository/src/main/resources/alfresco/repository.properties#L719
    # default keystores location
    dir.keystore=classpath:alfresco/keystore
    # general encryption parameters (keystore)
    encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
    encryption.keyAlgorithm=AES
    encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
    # secret key keystore configuration
    encryption.keystore.location=${dir.keystore}/keystore
    encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
    encryption.keystore.provider=
    encryption.keystore.type=pkcs12
    # ssl.keystore
    encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
    encryption.ssl.keystore.provider=
    encryption.ssl.keystore.type=JCEKS
    encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
    # ssl.truststore
    encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
    encryption.ssl.truststore.provider=
    encryption.ssl.truststore.type=JCEKS
    encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
    # SOLR Configuration
    solr.port.ssl=8984
    solr.secureComms=https
    Callouts:
      • ENCRYPTION PROPERTIES: not related with mTLS configuration, required even when not using mTLS
      • KEYSTORE: includes Repository private key
      • TRUSTSTORE: includes CA public key and SOLR client public key
    Set in alfresco-global.properties or docker-compose.yml (CLASSIC)
  • 19. Alfresco mTLS: Tomcat Repository Connector
    Tomcat Server: configuration to receive HTTPS queries from SOLR

      $ cat /usr/local/tomcat/conf/server.xml
      ...
          <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                     connectionTimeout="20000" maxThreads="150"
                     SSLEnabled="true" scheme="https" secure="true"
                     clientAuth="want" sslProtocol="TLS"
                     keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
                     keystorePass="kT9X6oe68t" keystoreType="JCEKS"
                     truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
                     truststorePass="kT9X6oe68t" truststoreType="JCEKS">
          </Connector>
        </Service>
      </Server>

    KEYSTORE (ssl.keystore): includes the Repository private key.
    TRUSTSTORE (ssl.truststore): includes the CA public certificate and the SOLR client public certificate.
    TOMCAT CONNECTOR: TLS configuration. clientAuth="want" makes Tomcat request a client certificate but still accept connections that present none, so the SOLR web scripts rely on solr.secureComms=https to refuse requests without a certificate; if the connector serves SOLR only, clientAuth="true" rejects such connections already during the handshake. The store passwords are in clear text in server.xml, so restrict who can read the file.
    Where to set it: server.xml (CLASSIC installation) or the Dockerfile (Docker).
  • 20. Alfresco mTLS: SOLR Properties
    Apache HTTP Client in solr.war: configuration to send HTTPS indexing requests to Alfresco
    https://github.com/Alfresco/SearchServices/blob/2.0.0/search-services/alfresco-search/src/main/resources/solr/instance/templates/rerank/conf/solrcore.properties#L44

      # ssl.repo.client.keystore
      alfresco.encryption.ssl.keystore.type=JCEKS
      alfresco.encryption.ssl.keystore.provider=
      alfresco.encryption.ssl.keystore.location=ssl.repo.client.keystore
      alfresco.encryption.ssl.keystore.passwordFileLocation=ssl-keystore-passwords.properties
      # ssl.repo.client.truststore
      alfresco.encryption.ssl.truststore.type=JCEKS
      alfresco.encryption.ssl.truststore.provider=
      alfresco.encryption.ssl.truststore.location=ssl.repo.client.truststore
      alfresco.encryption.ssl.truststore.passwordFileLocation=ssl-truststore-passwords.properties
      # Alfresco Repository configuration
      alfresco.port.ssl=8443
      alfresco.secureComms=https

    KEYSTORE: includes the SOLR private key.
    TRUSTSTORE: includes the CA public certificate, the Repository client public certificate and the SOLR client public certificate.
    Where to set it: solrcore.properties (CLASSIC installation).
  • 21. Alfresco mTLS: Jetty SOLR Server
    Jetty Server: configuration to receive HTTPS queries from Alfresco

      $ cat /opt/alfresco-search-services/solr.in.sh
      # ssl.repo.client.keystore
      SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.keystore
      SOLR_SSL_KEY_STORE_TYPE=JCEKS
      SOLR_SSL_KEY_STORE_PASSWORD=password
      # ssl.repo.client.truststore
      SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl-repo-client.truststore
      SOLR_SSL_TRUST_STORE_TYPE=JCEKS
      SOLR_SSL_TRUST_STORE_PASSWORD=password
      # Jetty mTLS configuration
      SOLR_SSL_NEED_CLIENT_AUTH=true

    KEYSTORE: includes the SOLR private key.
    TRUSTSTORE: includes the CA public certificate, the Repository client public certificate and the SOLR client public certificate.
    Where to set it: solr.in.sh (Linux) or solr.in.cmd (Windows) in a CLASSIC installation.
  • 22. Alfresco mTLS: SOLR Endpoints
    The Apache HTTP Client in alfresco.war sends HTTPS requests, authenticated with the Repository client certificate, to the SOLR Jetty server.
    Search Queries
      https://127.0.0.1:8983/solr/alfresco/afts
      https://127.0.0.1:8983/solr/alfresco/browse
      https://127.0.0.1:8983/solr/alfresco/cmis
      https://127.0.0.1:8983/solr/alfresco/query
      https://127.0.0.1:8983/solr/alfresco/select
    SQL Queries
      https://127.0.0.1:8983/solr/alfresco/sql
    Admin Actions
      https://127.0.0.1:8983/solr/admin
  • 23. Alfresco mTLS: Repository Endpoints
    The Apache HTTP Client in solr.war sends HTTPS requests, authenticated with the SOLR client certificate, to the Alfresco Tomcat server.
    Indexing requests
      https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets
      https://127.0.0.1:8443/alfresco/service/api/solr/acls
      https://127.0.0.1:8443/alfresco/service/api/solr/aclsReaders
      https://127.0.0.1:8443/alfresco/service/api/solr/metadata
      https://127.0.0.1:8443/alfresco/service/api/solr/model
      https://127.0.0.1:8443/alfresco/service/api/solr/modelsdiff
      https://127.0.0.1:8443/alfresco/service/api/solr/nodes
      https://127.0.0.1:8443/alfresco/service/api/solr/textContent
      https://127.0.0.1:8443/alfresco/service/api/solr/transactions
  • 24. Alfresco mTLS: Sharding
    The mTLS configuration can be applied to SOLR Shards in the same way.
    • The same KeyStores can be used for every Shard
    • Alternatively, a new ssl.repo.client certificate can be generated for each Shard
    • In that case you need to add these new certificates to the Alfresco Repository truststore (ssl.truststore)
    A sample configuration using DB_ID for two shards is available in:
    https://github.com/aborroy/solr-sharding-docker-compose/tree/master/ssl_db_id
  • 25. DEMO TIME: Using Custom Certificates
    1 - Starting with a working mTLS configuration
      • Docker Compose for Alfresco Repository
      • ZIP Distribution file for Alfresco Search SOLR
    2 - Create new KeyStores with different values
    3 - Copy the new KeyStores but preserve the encryption resources: keystore and keystore-passwords.properties
    4 - Modify the configuration in Alfresco Repository, Apache Tomcat, Alfresco Search SOLR and Jetty
      • Use pkcs12 as KeyStore Type
      • Use "password" as password for the KeyStores
    CLASSIC
      $ ./run.sh -alfrescoversion community -keysize 4096 -keystoretype PKCS12 -keystorepass password -truststoretype PKCS12 -truststorepass password -alfrescoformat classic
    https://github.com/Alfresco/alfresco-ssl-generator
  • 27. Common mistakes: Searching
    If you are experiencing problems when searching from Alfresco, Share or the REST API:
    • Review the Alfresco Repository configuration > alfresco-global.properties
    • Review the SOLR Jetty configuration > solr.in.sh | solr.in.cmd
    https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422

    alfresco-global.properties (solr.port.ssl must be the port Jetty listens on, 8983 for Alfresco Search Services; the repository.properties default is 8984):

      solr.port.ssl=8983
      solr.secureComms=https
      dir.keystore=/usr/local/tomcat/alf_data/keystore
      # ssl.keystore
      encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
      encryption.ssl.keystore.type=JCEKS
      encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-password.properties
      # ssl.truststore
      encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
      encryption.ssl.truststore.type=JCEKS
      encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties

    solr.in.sh:

      SOLR_SSL_TRUST_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
      SOLR_SSL_TRUST_STORE_PASSWORD=kT9X6oe68t
      SOLR_SSL_TRUST_STORE_TYPE=JCEKS
      SOLR_SSL_KEY_STORE=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
      SOLR_SSL_KEY_STORE_PASSWORD=kT9X6oe68t
      SOLR_SSL_KEY_STORE_TYPE=JCEKS
      SOLR_SSL_NEED_CLIENT_AUTH=true
  • 28. Common mistakes: Indexing
    If you are experiencing problems when indexing from SOLR:
    • Review the Alfresco Tomcat configuration > server.xml
    • Review the SOLR properties configuration > solrcore.properties
    https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422

    server.xml:

      <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                 connectionTimeout="20000" SSLEnabled="true" maxThreads="150"
                 scheme="https" secure="true"
                 keystoreFile="/usr/local/tomcat/alf_data/keystore/ssl.keystore"
                 keystorePass="kT9X6oe68t" keystoreType="JCEKS"
                 truststoreFile="/usr/local/tomcat/alf_data/keystore/ssl.truststore"
                 truststorePass="kT9X6oe68t" truststoreType="JCEKS"
                 clientAuth="want" sslProtocol="TLS">
      </Connector>

    solrcore.properties (the store format goes in *.type and *.provider stays empty, as in slide 20; putting JCEKS in *.provider is a frequent cause of an empty truststore and a failed handshake):

      alfresco.secureComms=https
      alfresco.port.ssl=8443
      alfresco.encryption.ssl.keystore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.keystore
      alfresco.encryption.ssl.keystore.type=JCEKS
      alfresco.encryption.ssl.keystore.provider=
      alfresco.encryption.ssl.keystore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-keystore-passwords.properties
      alfresco.encryption.ssl.truststore.location=/opt/alfresco-search-services/keystore/ssl.repo.client.truststore
      alfresco.encryption.ssl.truststore.type=JCEKS
      alfresco.encryption.ssl.truststore.provider=
      alfresco.encryption.ssl.truststore.passwordFileLocation=/opt/alfresco-search-services/keystore/ssl-truststore-passwords.properties
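The two "Common mistakes" slides (27 and 28) boil down to a handful of values that have to agree across alfresco-global.properties, solrcore.properties and solr.in.sh. The script below, an added example that is not part of the deck or of Alfresco, reads the three files and prints one MISMATCH line per inconsistency: secureComms not https on either side, the Repository's solr.port.ssl pointing at a port other than the one Jetty listens on, client auth not required on Jetty, a store format written into *.provider instead of *.type, and different formats declared for the same ssl.repo.client.keystore by solr.war and Jetty. It assumes one key=value per line, that Jetty's port is SOLR_PORT in solr.in.sh, and the sample files written by write_sample_config are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the deck or from Alfresco): cross-check the mTLS
# settings that slides 27 and 28 say to review. Assumptions: key=value on
# one line; Jetty's port is SOLR_PORT in solr.in.sh; sample files constructed.
set -e

# Value of KEY in FILE (last definition wins, quotes stripped); empty if absent.
prop() {                                   # $1 file  $2 key
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"\r'
}

fail() { echo "MISMATCH: $*"; rc=1; }

# *.type must name the store format; *.provider must stay empty. Slide 28's
# swapped values are exactly what this catches.
check_store() {                            # $1 file  $2 property prefix
  t=$(prop "$1" "$2.type"); p=$(prop "$1" "$2.provider")
  case "$t" in JCEKS|PKCS12|JKS) ;; *) fail "$2.type='$t' in $1" ;; esac
  case "$p" in JCEKS|PKCS12|JKS) fail "$2.provider='$p' in $1: store type written into provider" ;; esac
}

# Returns 0 when the three files agree, 1 after printing every problem.
check_mtls_config() {                      # $1 alfresco-global.properties $2 solrcore.properties $3 solr.in.sh
  rc=0
  [ "$(prop "$1" solr.secureComms)" = https ] || fail "solr.secureComms is not https (Repository)"
  [ "$(prop "$2" alfresco.secureComms)" = https ] || fail "alfresco.secureComms is not https (SOLR)"
  [ "$(prop "$1" solr.port.ssl)" = "$(prop "$3" SOLR_PORT)" ] || fail "solr.port.ssl (Repository) != SOLR_PORT (Jetty)"
  [ "$(prop "$3" SOLR_SSL_NEED_CLIENT_AUTH)" = true ] || fail "SOLR_SSL_NEED_CLIENT_AUTH is not true: Jetty does not require a client certificate"
  check_store "$1" encryption.ssl.keystore
  check_store "$1" encryption.ssl.truststore
  check_store "$2" alfresco.encryption.ssl.keystore
  check_store "$2" alfresco.encryption.ssl.truststore
  # solr.war (client side) and Jetty (server side) open the same keystore file.
  [ "$(prop "$2" alfresco.encryption.ssl.keystore.type)" = "$(prop "$3" SOLR_SSL_KEY_STORE_TYPE)" ] \
    || fail "SOLR keystore type differs between solrcore.properties and solr.in.sh"
  return $rc
}

# Constructed sample (a correct setup, values as in slides 18, 20 and 21).
write_sample_config() {                    # $1 directory
  printf '%s\n' 'solr.secureComms=https' 'solr.port.ssl=8983' \
    'encryption.ssl.keystore.type=JCEKS' 'encryption.ssl.keystore.provider=' \
    'encryption.ssl.truststore.type=JCEKS' 'encryption.ssl.truststore.provider=' \
    > "$1/alfresco-global.properties"
  printf '%s\n' 'alfresco.secureComms=https' 'alfresco.port.ssl=8443' \
    'alfresco.encryption.ssl.keystore.type=JCEKS' 'alfresco.encryption.ssl.keystore.provider=' \
    'alfresco.encryption.ssl.truststore.type=JCEKS' 'alfresco.encryption.ssl.truststore.provider=' \
    > "$1/solrcore.properties"
  printf '%s\n' 'SOLR_PORT=8983' 'SOLR_SSL_KEY_STORE_TYPE=JCEKS' \
    'SOLR_SSL_TRUST_STORE_TYPE=JCEKS' 'SOLR_SSL_NEED_CLIENT_AUTH=true' > "$1/solr.in.sh"
}

# Usage: sh check-mtls.sh alfresco-global.properties solrcore.properties solr.in.sh
if [ $# -eq 3 ]; then
  check_mtls_config "$1" "$2" "$3" && echo "mTLS configuration is consistent"
fi
```

Run it against the real files before restarting anything; it only reads them. It does not open the stores themselves, so a wrong password or a missing alias still has to be found with keytool or the handshake trace.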
  • 29. Troubleshooting: cURL
    Testing the configuration with cURL
    Extract the ssl.repo.client certificate from keystores/solr/ssl.repo.client.keystore in PEM format:
      $ curl -k --cert Custom_Alfresco_Repository_Client_Custom_Alfresco_CA.pem -v "https://127.0.0.1:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&toTime=1603454490108&maxResults=2000"
    In the other direction, extract the ssl.repo certificate from keystores/alfresco/ssl.keystore in PEM format:
      $ curl -k --cert Custom_Alfresco_Repository_Custom_Alfresco_CA.pem -v "https://127.0.0.1:8983/solr/alfresco/select?indent=on&q=@sys:node-dbid:101&wt=json"
    Two caveats: the file given to --cert must contain the private key as well as the certificate (or pass the key separately with --key), otherwise curl presents no client certificate and the request fails exactly as a misconfigured peer would; and -k disables verification of the server certificate, so once the client side works, replace it with --cacert <CA certificate in PEM> to also confirm that the server certificate chains to the CA.
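Getting a usable PEM out of a JCEKS store is the step the slide leaves implicit. The script below, an added example that is not from the deck or the alfresco-ssl-generator project, converts one alias to PKCS12 with keytool, dumps certificate and key to PEM with openssl, checks that the PEM really carries a private key before calling curl, and verifies the Repository against the exported CA instead of using -k. It assumes keytool and openssl on PATH, that the key password equals the store password (as the generator's stores are built), and the store paths, alias names, password and URL in the demo branch are placeholders. The PEM checks at the bottom are exercised with constructed files; the keytool/openssl/curl steps need real stores and a running Repository.

```shell
#!/bin/sh
# Added example (not from the deck or alfresco-ssl-generator): JCEKS alias ->
# PKCS12 (keytool) -> PEM (openssl) -> curl with client certificate and CA.
# Assumptions: keytool and openssl on PATH; key password == store password;
# paths, aliases, password and URL below are placeholders.
set -e

# keytool cannot write PEM, so convert one alias to PKCS12 first.
# Passwords on the command line show up in `ps`; keytool also accepts
# -srcstorepass:env VAR to read them from the environment instead.
jceks_alias_to_pem() {           # $1 store  $2 store password  $3 alias  $4 out.pem
  p12="${4%.pem}.p12"
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype JCEKS -srcstorepass "$2" \
    -srcalias "$3" -srckeypass "$2" \
    -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$2"
  # -nodes writes the key unencrypted (curl needs it that way): lock the file down.
  openssl pkcs12 -in "$p12" -passin "pass:$2" -nodes -out "$4"
  rm -f "$p12"; chmod 600 "$4"
}

# The CA certificate, for --cacert (a public certificate, no key involved).
export_ca_pem() {                # $1 truststore  $2 store password  $3 CA alias  $4 out.pem
  keytool -exportcert -rfc -keystore "$1" -storetype JCEKS -storepass "$2" -alias "$3" > "$4"
}

# curl --cert only authenticates the client when the PEM also holds the
# private key (or --key names it). Returns 0 when the PEM is usable.
pem_has_private_key() {
  grep -q -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}
pem_has_certificate() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Call an endpoint with the client certificate, verifying the server
# against the CA; the host in the URL must match the server certificate's
# SAN (DNS:localhost in the deck's certificate), so use localhost, not 127.0.0.1.
call_with_client_cert() {        # $1 client.pem  $2 ca.pem  $3 url
  pem_has_private_key "$1" || { echo "$1 has no private key: curl cannot do client auth" >&2; return 1; }
  curl --silent --show-error --fail --cacert "$2" --cert "$1" "$3"
}

# Demo (placeholders): sh curl-mtls.sh demo <storepass>
if [ "${1:-}" = demo ]; then
  jceks_alias_to_pem keystores/solr/ssl.repo.client.keystore "$2" ssl.repo.client client.pem
  export_ca_pem keystores/solr/ssl.repo.client.truststore "$2" ssl.alfresco.ca ca.pem
  call_with_client_cert client.pem ca.pem \
    'https://localhost:8443/alfresco/service/api/solr/aclchangesets?fromTime=0&maxResults=10'
fi
```

The same flow, with ssl.repo from keystores/alfresco/ssl.keystore and the Jetty port, tests the opposite direction. Delete client.pem when done; it is an unencrypted copy of the private key.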
  • 30. Troubleshooting: Debugging
    Debugging the configuration
    The best approach to debug the SSL handshake is not the Log4j categories, but this Java parameter, set for both the Solr and the Alfresco web apps:
      -Djavax.net.debug=ssl:handshake
    Sample output (the ClientHello offers TLS 1.3 suites, the server settles on TLS 1.2 with an ECDHE_RSA suite):

      "ClientHello": {
        "client version"      : "TLSv1.2",
        "random"              : "79 4D 93 54 F9 59 83 0C 75 58 73 F8 DE 3A 3C B6 95 57 8F 72 A4 FE 92 BB D0 89 50 C3 A0 11 84 9C",
        "session id"          : "49 61 34 4C 45 80 A0 69 75 E3 92 C2 7D F6 2E 04 70 3F 6C 4D A1 91 F0 B8 CE 79 1C 3B 15 0B 11 F5",
        "cipher suites"       : "[TLS_AES_128_GCM_SHA256(0x1301), TLS_AES_256_GCM_SHA384(0x1302), ... ]",
        "compression methods" : "00",
        "extensions"          : [ ... ]
      }
      "ServerHello": {
        "server version"      : "TLSv1.2",
        "random"              : "30 8C EE E3 E3 08 6D 38 FD BC 47 5E 9A C5 4C A5 AD 14 3E 97 DB 3E DA C9 BE 61 F9 0F 88 F3 25 10",
        "session id"          : "",
        "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
        "compression methods" : "00",
        "extensions"          : [
          "renegotiation_info (65,281)": {
            "renegotiated connection": [<no renegotiated connection>]
          },
          "ec_point_formats (11)": {
            "formats": [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
          }
        ]
      }
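The trace is long, and for an mTLS problem three facts matter: which protocol and suite were negotiated, whether the server asked for a client certificate at all, and whether the client answered with one. The snippet below, an added example that is not part of the deck, shows where the flag goes on each side and pulls those facts out of a dump. The "server version" and "cipher suite" fields are the ones printed on the slide; the handshake-message patterns (a consumed CertificateRequest, a produced client Certificate) follow the wording of the JDK 11+ JSSE logger and are an assumption to adjust for other JDKs. The dump used by the check at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the deck): enable the JSSE handshake trace and
# triage it. Field names follow the slide; the CertificateRequest/Certificate
# line patterns assume JDK 11+ wording. Sample dump below is constructed.
set -e

# Where to set the flag (placeholders for your own start scripts):
#   Tomcat (alfresco.war): JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl:handshake"
#   Solr   (solr.in.sh):   SOLR_OPTS="$SOLR_OPTS -Djavax.net.debug=ssl:handshake"
# Remove it again afterwards: the trace is verbose and records session ids.

# Suite the server chose (name without the hex id), from a dump on stdin.
negotiated_suite() {
  sed -n 's/.*"cipher suite"[[:space:]]*:[[:space:]]*"\([^"(]*\).*/\1/p' | head -n 1
}

# Protocol version in the ServerHello.
negotiated_version() {
  sed -n 's/.*"server version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# "requested": the server sent a CertificateRequest (mTLS is on) but no
# client Certificate followed, the usual sign of a wrong keystore, alias or
# password on the client side; "sent": the client answered with a
# certificate; "none": the server never asked (clientAuth/NEED_CLIENT_AUTH off).
client_auth_status() {
  awk 'BEGIN { st = "none" }
       /CertificateRequest/            { if (st == "none") st = "requested" }
       /Produced client Certificate/   { st = "sent" }
       END { print st }'
}

# Usage: sh triage-handshake.sh < catalina.out   (or < solr.log)
if [ ! -t 0 ]; then
  dump=$(cat)
  echo "version: $(printf '%s' "$dump" | negotiated_version)"
  echo "suite:   $(printf '%s' "$dump" | negotiated_suite)"
  echo "client auth: $(printf '%s' "$dump" | client_auth_status)"
fi
```

When the status is "requested" on the Repository side, the failure is in solr.war's keystore settings (slide 20); when it is "none" on the Jetty side, SOLR_SSL_NEED_CLIENT_AUTH is not taking effect.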
  • 31. Troubleshooting: Resources
    Alfresco Documentation
      https://docs.alfresco.com/search-community/tasks/solr-install.html
      https://docs.alfresco.com/search-community/concepts/solr-troubleshooting.html
    Alfresco Hub
      https://hub.alfresco.com/t5/alfresco-content-services-blog/creating-self-signed-ssl-certificates-for-solr/ba-p/288477
      https://hub.alfresco.com/t5/alfresco-content-services-blog/using-ssl-with-alfresco-search-services-and-solr-6/ba-p/292687
      https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-mtls-configuration-deep-dive/ba-p/296422
      https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-6-1-is-coming-with-mutual-tls-authentication-by-default/ba-p/287905
    Blog posts
      https://angelborroy.wordpress.com/2016/06/15/configuring-alfresco-ssl-certificates/